Tuesday, April 30, 2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 84 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-plugins, exploit-kit, file-identify, file-other,
file-pdf, malware-cnc and tftp rule sets to provide coverage for
emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Many thanks to one of our very dedicated Snort Community members, William Parker. In his guides (also posted on the documentation page of Snort.org) he has embedded some Snort Startup scripts.

Because some people were having problems copying and pasting out of the PDF documentation, Mr. Parker put these startup scripts in their own files and sent them to me. I created a special section on Snort.org/docs just for startup scripts, and they are all there!

Many thanks to Mr. Parker for updating his scripts based on user feedback, and the new ones are now up.

Wednesday, April 10, 2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 26 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his contribution of rules:
26335
26370
26371

In VRT's rule release:

Details:
Microsoft Security Bulletin MS13-029:

Microsoft Remote Desktop Client contains programming errors that may
allow a remote attacker to execute code on a vulnerable system.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 26355 through 26365.

Microsoft Security Bulletin MS13-032:
A vulnerability in Microsoft Active Directory could lead to a denial of
service.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SID 26354.

This release is a bug fix release that also introduces a few new features and enhancements.

===================== UPGRADING REQUIREMENT =====================
If you are upgrading to barnyard2 2-1.13 Build 325 or above from a previous version that is not 2-1.13 and are using the output database:

***** We highly recommend ***** deleting every row in your sig_reference table (DELETE FROM sig_reference;). The table will be re-populated at process startup, and this has no impact on historical data.
===================== UPGRADING REQUIREMENT =====================

Feature requests:
----------------
Phil Daws: Add interface and hostname fields to spo_alert_csv if specified.

Jorge Pinto: spo_syslog_full support for ASCII and BASE64 payload.

Jason Brvenik: variables (requested a long time ago, sorry :P)

Martin Olsson: Remove some useless verbosity unless ./configure --enable-debug is specified and the proper flags are used (spo_database and sid-msg.mapv2).

Support for sid-msg.map Version 2 format.
-------
A sid-msg.map version 2 file can be generated by PulledPork (upcoming release, already in svn). The sid-msg.map version is detected from a simple header at the top of the file; that header must not be altered if you want the file to be processed correctly.

The sid-msg.map version 2 format extends the information already present in the sid-msg.map file created from rules.

Barnyard2 configuration variables
-------
You can now use [var VARNAME value] in the barnyard2 configuration file, and every instance of $VARNAME will be replaced by value. Note that declaration order only matters when one variable's value references another variable: the referenced variable must be declared first.

EX (is VALID):
var INTERFACE ethX
var PATH /var/log/IDS
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive

EX (is INVALID):
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
var INTERFACE ethX
var PATH /var/log/IDS
-------
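The single-pass substitution rule above is easy to get wrong when a config is edited by hand, so here is an added example (not barnyard2 code) that resolves var declarations the same way: each $VARNAME is expanded against the variables declared before it, and a reference to a not-yet-declared variable is rejected. The function names resolve_vars, expand and is_valid, the regular expressions, and the sample configs (the VALID and INVALID orderings from the release notes plus an illustrative "config logdir:" line) are assumptions made for this example.

```python
"""Added example, not part of barnyard2: single-pass resolution of
`var NAME value` declarations in a barnyard2-style configuration.
Function names and samples below are hypothetical."""
import re

# `var NAME value`, with surrounding whitespace trimmed from the value.
VAR_DECL = re.compile(r"^\s*var\s+(\w+)\s+(.*?)\s*$")
# A $NAME reference inside a value or any other config line.
VAR_REF = re.compile(r"\$(\w+)")


def resolve_vars(config_text: str) -> dict:
    """Return {NAME: resolved value} for every var line.

    Values are expanded against the variables declared *before* the
    current line, mirroring a reader that processes the file top to
    bottom. Referencing a variable that has not been declared yet raises
    KeyError, which is exactly why the INVALID ordering fails.
    """
    variables = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = VAR_DECL.match(line)
        if not m:
            continue
        name, raw_value = m.group(1), m.group(2)

        def lookup(ref, lineno=lineno):
            ref_name = ref.group(1)
            if ref_name not in variables:
                raise KeyError(f"line {lineno}: ${ref_name} used before it is declared")
            return variables[ref_name]

        variables[name] = VAR_REF.sub(lookup, raw_value)
    return variables


def expand(config_text: str) -> str:
    """Return the config with $NAME replaced on every non-var line."""
    variables = resolve_vars(config_text)
    out = []
    for line in config_text.splitlines():
        if VAR_DECL.match(line):
            out.append(line)          # keep declarations as written
            continue
        out.append(VAR_REF.sub(lambda r: variables[r.group(1)], line))
    return "\n".join(out)


def is_valid(config_text: str) -> bool:
    """True if every variable reference resolves in declaration order."""
    try:
        expand(config_text)
        return True
    except KeyError:
        return False


# Constructed sample: the VALID ordering from the release notes, plus an
# illustrative consumer line so the substitution is visible.
VALID_CONFIG = """\
var INTERFACE ethX
var PATH /var/log/IDS
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
config logdir: $LOG
"""

# Constructed sample: the INVALID ordering ($PATH and $INTERFACE are used
# before they are declared).
INVALID_CONFIG = """\
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
var INTERFACE ethX
var PATH /var/log/IDS
"""

if __name__ == "__main__":
    print(resolve_vars(VALID_CONFIG))
    print(expand(VALID_CONFIG))
    print("invalid config accepted?", is_valid(INVALID_CONFIG))
```

Running the block prints the four resolved variables, the expanded config with "config logdir: /var/log/IDS/ethX/log", and False for the INVALID ordering. A pre-flight check like is_valid is a cheap way to catch a mis-ordered var line before barnyard2 starts writing to a wrong path.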

New output database configuration keywords
-------

The keywords connection_limit and reconnect_sleep_time were added in 2-1.10 but were "undocumented"; they should not be modified unless you encounter connectivity issues.

connection_limit <integer>: default 10 - The maximum number of times that barnyard2 will tolerate a transaction failure and/or database connection failure.

reconnect_sleep_time <integer>: default 5 - The number of seconds to sleep between connection retries.

disable_signature_reference_table - Tells the output plugin not to synchronize the sig_reference table in the schema. This option will speed up the process, especially if you use a sid-msg.mapv2 file or already have a lot of signatures in the database. (Make sure that you do not need that information before enabling this.)
-------

Enjoy, and do not hesitate to send feedback, suggestions and feature requests.

Friday, April 5, 2013

Thanks again to William Parker, who works tirelessly until his documentation is updated: I just posted all the 2.9.4.5 install docs that he makes, now available at the only official Snort Documentation site.

A chart for the End-of-life for Snort rule versions is posted on our EOL Policy page: https://www.snort.org/eol. As always, it has been updated to include our latest release numbers. Please note that 2.9.4.0 is now slated for EOL on June 2nd, 2013.

******
Please Note:
We understand that there may be some confusion by moving from 2.9.4.1
to 2.9.4.5, and we apologize for that. We are aligning our internal
build numbers with our open source build versions to make versioning
and distribution easier on the backend. This will help us in ensuring
that the correct versions of rules are available for the supported
versions of Snort.
******

Snort 2.9.4.5 includes changes for the following:

[*] Improvements

* Removed proxy information from HTTP URI searching so that the URI
matches are just on the actual URI so that offsets work as expected.

Thanks to L0rd Ch0de1m0rt for reporting the issue.

* Addressed an issue with logging packet data via unified2 when
alerting on a packet with multiple HTTP PDUs.

* Continue to search for patterns within the HTTP URI until the end of
the URI.

Tuesday, April 2, 2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 0 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

The Sourcefire VRT has modified multiple shared object rules in the imap, multimedia,
netbios, smtp, specific-threats and web-misc rule sets to provide
coverage for emerging threats from these technologies.
